RubyGems - doorkeeper - Versions diffs - 5.5.2 → 5.5.3 - Mend

doorkeeper 5.5.2 → 5.5.3

Potentially problematic release.

This version of doorkeeper might be problematic. Click here for more details.

Files changed (23) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +7 -0
data/README.md +12 -12
data/app/controllers/doorkeeper/authorizations_controller.rb +1 -1
data/app/controllers/doorkeeper/tokens_controller.rb +3 -3
data/app/helpers/doorkeeper/dashboard_helper.rb +1 -1
data/config/locales/en.yml +3 -0
data/lib/doorkeeper/models/access_grant_mixin.rb +1 -1
data/lib/doorkeeper/models/access_token_mixin.rb +1 -1
data/lib/doorkeeper/oauth/authorization_code_request.rb +1 -1
data/lib/doorkeeper/oauth/forbidden_token_response.rb +2 -1
data/lib/doorkeeper/oauth/helpers/unique_token.rb +2 -2
data/lib/doorkeeper/oauth/helpers/uri_checker.rb +3 -3
data/lib/doorkeeper/oauth/password_access_token_request.rb +1 -1
data/lib/doorkeeper/oauth/refresh_token_request.rb +1 -1
data/lib/doorkeeper/oauth/token_introspection.rb +3 -3
data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb +1 -0
data/lib/doorkeeper/orm/active_record/mixins/access_token.rb +1 -0
data/lib/doorkeeper/orm/active_record/mixins/application.rb +1 -0
data/lib/doorkeeper/version.rb +1 -1
data/lib/generators/doorkeeper/templates/initializer.rb +4 -4
data/lib/generators/doorkeeper/templates/migration.rb.erb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9b8f700b4b7e5e40df07c8679ec477db21fe96ed05d70a5e6cb50c62cac886c2
-  data.tar.gz: cc34f22bd2800620f9b901a0025f569a0299a1105a7350ba95b62b34b7f5cdad
+  metadata.gz: 55ced432e71b3066f090735a7f68d95954ef41ec19f371b6ce4244bd2d462c64
+  data.tar.gz: 35da75b4534aa7ac1ceb3ad35d5bc40a4173c06de05212b9e36f88795c083f65
 SHA512:
-  metadata.gz: 27d0ae20071180742cb735351165d808d8d3a6f0571ce12fc741f572fb9f69c789d760c299fa5a31814790611474e3eed12fb2a8ab4902151c21a847855fa8d3
-  data.tar.gz: 64e39c64aa61cf27ee0418be14880b9bb1ce23159a6ee61af4d32b1a187ddcb32f70402799bb9f673a1d3a1efe1abd2e9b940564d05e161a7aee737497af1d54
+  metadata.gz: 8336b6956cfddc0fc8b65923327eddda5ecdf2577c6e5b5cc5bc30aa675624313f3008b4b46cabecfca5b35a8df7f612e0b43974c4668b119254918a3ee1c9a2
+  data.tar.gz: 44ce41f014ea4e04f9626bc929c543ab593fc0087aa70bd011f064a76a6b3f4773c70ed285bcd4996eab5313f8ca278182075b3f912c947fb622a77179e33860

data/CHANGELOG.md CHANGED Viewed

@@ -9,6 +9,13 @@ User-visible changes worth mentioning.
 - [#PR ID] Add your PR description here.
+## 5.5.3
+- [#1528] Don't allow extra query params in redirect_uri.
+- [#1525] I18n source for forbidden token error is now `doorkeeper.errors.messages.forbidden_token.missing_scope`.
+- [#1531] Disable `strict-loading` for Doorkeeper models by default.
+- [#1532] Add support for Rails 7.
 ## 5.5.2
 - [#1502] Drop support for Ruby 2.4 because of EOL.

data/README.md CHANGED Viewed

@@ -14,18 +14,18 @@ functionality to your Ruby on Rails or Grape application.
 Supported features:
-- [The OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749)
-  - [Authorization Code Flow](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.1)
-  - [Access Token Scopes](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-3.3)
-  - [Refresh token](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5)
-  - [Implicit grant](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.2)
-  - [Resource Owner Password Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.3)
-  - [Client Credentials](http://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-4.4)
-- [OAuth 2.0 Token Revocation](http://tools.ietf.org/html/rfc7009)
-- [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
-- [OAuth 2.0 Threat Model and Security Considerations](http://tools.ietf.org/html/rfc6819)
-- [OAuth 2.0 for Native Apps](https://tools.ietf.org/html/draft-ietf-oauth-native-apps-10)
-- [Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
+- [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749)
+  - [Authorization Code Flow](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1)
+  - [Access Token Scopes](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3)
+  - [Refresh token](https://datatracker.ietf.org/doc/html/rfc6749#section-1.5)
+  - [Implicit grant](https://datatracker.ietf.org/doc/html/rfc6749#section-4.2)
+  - [Resource Owner Password Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.3)
+  - [Client Credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4)
+- [OAuth 2.0 Token Revocation](https://datatracker.ietf.org/doc/html/rfc7009)
+- [OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662)
+- [OAuth 2.0 Threat Model and Security Considerations](https://datatracker.ietf.org/doc/html/rfc6819)
+- [OAuth 2.0 for Native Apps](https://datatracker.ietf.org/doc/html/rfc8252)
+- [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636)
 ## Table of Contents

data/app/controllers/doorkeeper/authorizations_controller.rb CHANGED Viewed

@@ -66,7 +66,7 @@ module Doorkeeper
         elsif pre_auth.form_post_response?
           render :form_post
         else
-          redirect_to auth.redirect_uri
+          redirect_to auth.redirect_uri, allow_other_host: true
         end
       else
         render json: auth.body, status: auth.status

data/app/controllers/doorkeeper/tokens_controller.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module Doorkeeper
       handle_token_exception(e)
     end
-    # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
+    # OAuth 2.0 Token Revocation - https://datatracker.ietf.org/doc/html/rfc7009
     def revoke
       # The authorization server responds with HTTP status code 200 if the client
       # submitted an invalid token or the token has been revoked successfully.
@@ -94,8 +94,8 @@ module Doorkeeper
     # types, they set the application_id as null (since the claim cannot be
     # verified).
     #
-    # https://tools.ietf.org/html/rfc6749#section-2.1
-    # https://tools.ietf.org/html/rfc7009
+    # https://datatracker.ietf.org/doc/html/rfc6749#section-2.1
+    # https://datatracker.ietf.org/doc/html/rfc7009
     def authorized?
       # Token belongs to specific client, so we need to check if
       # authenticated client could access it.

data/app/helpers/doorkeeper/dashboard_helper.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Doorkeeper
       return if object.errors[method].blank?
       output = object.errors[method].map do |msg|
-        content_tag(:span, class: "form-text") do
+        content_tag(:span, class: "invalid-feedback") do
           msg.capitalize
         end
       end

data/config/locales/en.yml CHANGED Viewed

@@ -125,6 +125,9 @@ en:
         revoke:
           unauthorized: "You are not authorized to revoke this token"
+        forbidden_token:
+          missing_scope: 'Access to this resource requires scope "%{oauth_scopes}".'
     flash:
       applications:
         create:

data/lib/doorkeeper/models/access_grant_mixin.rb CHANGED Viewed

@@ -49,7 +49,7 @@ module Doorkeeper
       end
       # Implements PKCE code_challenge encoding without base64 padding as described in the spec.
-      # https://tools.ietf.org/html/rfc7636#appendix-A
+      # https://datatracker.ietf.org/doc/html/rfc7636#appendix-A
       #   Appendix A.  Notes on Implementing Base64url Encoding without Padding
       #
       #   This appendix describes how to implement a base64url-encoding

data/lib/doorkeeper/models/access_token_mixin.rb CHANGED Viewed

@@ -279,7 +279,7 @@ module Doorkeeper
     end
     # Access Token type: Bearer.
-    # @see https://tools.ietf.org/html/rfc6750
+    # @see https://datatracker.ietf.org/doc/html/rfc6750
     #   The OAuth 2.0 Authorization Framework: Bearer Token Usage
     #
     def token_type

data/lib/doorkeeper/oauth/authorization_code_request.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Doorkeeper
       validate :params,       error: :invalid_request
       validate :client,       error: :invalid_client
       validate :grant,        error: :invalid_grant
-      # @see https://tools.ietf.org/html/rfc6749#section-5.2
+      # @see https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
       validate :redirect_uri, error: :invalid_grant
       validate :code_verifier, error: :invalid_grant

data/lib/doorkeeper/oauth/forbidden_token_response.rb CHANGED Viewed

@@ -23,7 +23,8 @@ module Doorkeeper
       end
       def description
-        @description ||= @scopes.map { |s| I18n.t(s, scope: %i[doorkeeper scopes]) }.join("\n")
+        @description ||= I18n.t("doorkeeper.errors.messages.forbidden_token.missing_scope",
+                                oauth_scopes: @scopes.map(&:to_s).join(" "),)
       end
       protected

data/lib/doorkeeper/oauth/helpers/unique_token.rb CHANGED Viewed

@@ -11,8 +11,8 @@ module Doorkeeper
           # Access Token value must be 1*VSCHAR or
           # 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
           #
-          # @see https://tools.ietf.org/html/rfc6749#appendix-A.12
-          # @see https://tools.ietf.org/html/rfc6750#section-2.1
+          # @see https://datatracker.ietf.org/doc/html/rfc6749#appendix-A.12
+          # @see https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
           #
           generator = options.delete(:generator) || SecureRandom.method(default_generator_method)
           token_size = options.delete(:size) || 32

data/lib/doorkeeper/oauth/helpers/uri_checker.rb CHANGED Viewed

@@ -19,22 +19,22 @@ module Doorkeeper
           url = as_uri(url)
           client_url = as_uri(client_url)
-          unless client_url.query.nil?
+          unless client_url.query.nil? && url.query.nil?
             return false unless query_matches?(url.query, client_url.query)
             # Clear out queries so rest of URI can be tested. This allows query
             # params to be in the request but order not mattering.
             client_url.query = nil
+            url.query = nil
           end
           # RFC8252, Paragraph 7.3
-          # @see https://tools.ietf.org/html/rfc8252#section-7.3
+          # @see https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
           if loopback_uri?(url) && loopback_uri?(client_url)
             url.port = nil
             client_url.port = nil
           end
-          url.query = nil
           url == client_url
         end

data/lib/doorkeeper/oauth/password_access_token_request.rb CHANGED Viewed

@@ -57,7 +57,7 @@ module Doorkeeper
       #
       #    o  authenticate the client if client authentication is included,
       #
-      #   @see https://tools.ietf.org/html/rfc6749#section-4.3
+      #   @see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
       #
       def validate_client
         if Doorkeeper.config.skip_client_authentication_for_password_grant

data/lib/doorkeeper/oauth/refresh_token_request.rb CHANGED Viewed

@@ -101,7 +101,7 @@ module Doorkeeper
         client.present?
       end
-      # @see https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-1.5
+      # @see https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
       #
       def validate_client_match
         return true if refresh_token.application_id.blank?

data/lib/doorkeeper/oauth/token_introspection.rb CHANGED Viewed

@@ -4,7 +4,7 @@ module Doorkeeper
   module OAuth
     # RFC7662 OAuth 2.0 Token Introspection
     #
-    # @see https://tools.ietf.org/html/rfc7662
+    # @see https://datatracker.ietf.org/doc/html/rfc7662
     class TokenIntrospection
       def initialize(server, token)
         @server = server
@@ -107,7 +107,7 @@ module Doorkeeper
       # authorization server SHOULD NOT include any additional information
       # about an inactive token, including why the token is inactive.
       #
-      # @see https://tools.ietf.org/html/rfc7662 2.2. Introspection Response
+      # @see https://datatracker.ietf.org/doc/html/rfc7662 2.2. Introspection Response
       #
       def failure_response
         {
@@ -186,7 +186,7 @@ module Doorkeeper
       # Provides context (controller) and token for generating developer-specific
       # response.
       #
-      # @see https://tools.ietf.org/html/rfc7662#section-2.2
+      # @see https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
       #
       def customize_response(response)
         customized_response = Doorkeeper.config.custom_introspection_response.call(

data/lib/doorkeeper/orm/active_record/mixins/access_grant.rb CHANGED Viewed

@@ -6,6 +6,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     included do
       self.table_name = compute_doorkeeper_table_name
+      self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
       include ::Doorkeeper::AccessGrantMixin

data/lib/doorkeeper/orm/active_record/mixins/access_token.rb CHANGED Viewed

@@ -6,6 +6,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     included do
       self.table_name = compute_doorkeeper_table_name
+      self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
       include ::Doorkeeper::AccessTokenMixin

data/lib/doorkeeper/orm/active_record/mixins/application.rb CHANGED Viewed

@@ -6,6 +6,7 @@ module Doorkeeper::Orm::ActiveRecord::Mixins
     included do
       self.table_name = compute_doorkeeper_table_name
+      self.strict_loading_by_default = false if respond_to?(:strict_loading_by_default)
       include ::Doorkeeper::ApplicationMixin

data/lib/doorkeeper/version.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Doorkeeper
     # Semantic versioning
     MAJOR = 5
     MINOR = 5
-    TINY = 2
+    TINY = 3
     PRE = nil
     # Full version number

data/lib/generators/doorkeeper/templates/initializer.rb CHANGED Viewed

@@ -276,7 +276,7 @@ Doorkeeper.configure do
   # force_ssl_in_redirect_uri { |uri| uri.host != 'localhost' }
   # Specify what redirect URI's you want to block during Application creation.
-  # Any redirect URI is whitelisted by default.
+  # Any redirect URI is allowed by default.
   #
   # You can use this option in order to forbid URI's with 'javascript' scheme
   # for example.
@@ -343,8 +343,8 @@ Doorkeeper.configure do
   #
   # implicit and password grant flows have risks that you should understand
   # before enabling:
-  #   http://tools.ietf.org/html/rfc6819#section-4.4.2
-  #   http://tools.ietf.org/html/rfc6819#section-4.4.3
+  #   https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.2
+  #   https://datatracker.ietf.org/doc/html/rfc6819#section-4.4.3
   #
   # grant_flows %w[authorization_code client_credentials]
@@ -387,7 +387,7 @@ Doorkeeper.configure do
   # Be default all Resource Owners are authorized to any Client (application).
   #
   # authorize_resource_owner_for_client do |client, resource_owner|
-  #   resource_owner.admin? || client.owners_whitelist.include?(resource_owner)
+  #   resource_owner.admin? || client.owners_allowlist.include?(resource_owner)
   # end
   # Hook into the strategies' request & response life-cycle in case your

data/lib/generators/doorkeeper/templates/migration.rb.erb CHANGED Viewed

@@ -61,7 +61,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration<%= migration_version %>
       # *the client MUST discard the old refresh token* and replace it with the
       # new refresh token. The authorization server MAY revoke the old
       # refresh token after issuing a new refresh token to the client.
-      # @see https://tools.ietf.org/html/rfc6749#section-6
+      # @see https://datatracker.ietf.org/doc/html/rfc6749#section-6
       #
       # Doorkeeper implementation: if there is a `previous_refresh_token` column,
       # refresh tokens will be revoked after a related access token is used.

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: doorkeeper
 version: !ruby/object:Gem::Version
-  version: 5.5.2
+  version: 5.5.3
 platform: ruby
 authors:
 - Felipe Elias Philipp
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-11 00:00:00.000000000 Z
+date: 2021-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties